Bug #5881
closed
CVE-2014-3491 - XSS from create/update/destroy notification boxes
Added by Dominic Cleal over 10 years ago.
Updated over 6 years ago.
Description
possible XSS: Configure -> Host groups - key name with HTML evaluated when submitted
How reproducible:
always
Steps to Reproduce:
1. In webUI go to Configure -> Host groups -> New Host groups
2. Fill in this:
Name: test<script>alert('HI')</script>
Click "Submit" to create the hostgroup
3. Note that parameter name is correctly escaped in the parameters list
Actual results:
Once the hostgroup is SUBMITED, JavaScript alert window appears (script gets executed)
Expected results:
Submit button should not execute javascript
Files
- Subject changed from XSS from create/update/destroy notification boxes to EMBARGOED: XSS from create/update/destroy notification boxes
This appears to be coming from the popup notifications in the UI that appear when creating/updating/deleting resources. I suppose one user could create a resource with such a name and then another user could try editing or deleting it to execute the script, but when creating, a user is only going to be able to attach themselves.
The host group name is also formatted strangely in the host groups list, may be worth checking out at the same time.
(I've also seen this when deleting config groups and templates, it's a problem generally with the process_success type notifications.)
- Status changed from New to Assigned
Rails automatic escapes/sanitizes text strings when saving to the db, so this is the reason of the "strange formatting"
I emailed patch.
Please just attach the patch for review here, thanks.
Attached is the v1 patch.
Works well, though could we escape the HTML rather than sanitizing it? Just so the actual name fully shows up.
I looked into the index name display, it's just a bug in the ancestry_helper, pretty sure it's harmless. I'll file another bug once this is unembargoed.
- Translation missing: en.field_release set to 16
new patch attached that uses CGI::escapeHTML rather than ActionController::Base.helpers.sanitize
- Subject changed from EMBARGOED: XSS from create/update/destroy notification boxes to EMBARGOED: CVE-2014-3491 - XSS from create/update/destroy notification boxes
- Status changed from Ready For Testing to Pending
- Target version changed from 1.8.2 to 1.8.1
- Translation missing: en.field_release changed from 16 to 19
Updated patch to fix tests, backported to 1.4-stable.
- Subject changed from EMBARGOED: CVE-2014-3491 - XSS from create/update/destroy notification boxes to CVE-2014-3491 - XSS from create/update/destroy notification boxes
- Private changed from Yes to No
- Status changed from Pending to Closed
- % Done changed from 0 to 100
Fixes committed to 1.4-stable, 1.5-stable and develop.
Foreman 1.4.5 and 1.5.1 releases will be made today with the fix.
- Related to Bug #6351: <br /> seen in UI errors when multiple errors exist on a resource added
- Related to Bug #6402: Using "run puppet" feature fails: undefined method `gsub' for #<Array ...> added
- Related to Bug #6903: "<br/>" in text when receiving error while deleting multiple hosts added
Also available in: Atom
PDF